Stop setting Strict-Transport-Securty header from within the app

This commit is contained in:
Paweł Chojnacki 2017-03-03 11:05:24 +00:00 committed by Marin Jankovski
parent a9a581567c
commit 76e96878aa
4 changed files with 31 additions and 4 deletions

View file

@ -122,10 +122,6 @@ class ApplicationController < ActionController::Base
headers['X-XSS-Protection'] = '1; mode=block' headers['X-XSS-Protection'] = '1; mode=block'
headers['X-UA-Compatible'] = 'IE=edge' headers['X-UA-Compatible'] = 'IE=edge'
headers['X-Content-Type-Options'] = 'nosniff' headers['X-Content-Type-Options'] = 'nosniff'
# Enabling HSTS for non-standard ports would send clients to the wrong port
if Gitlab.config.gitlab.https && Gitlab.config.gitlab.port == 443
headers['Strict-Transport-Security'] = 'max-age=31536000'
end
end end
def validate_user_service_ticket! def validate_user_service_ticket!

View file

@ -0,0 +1,4 @@
---
title: Stop setting Strict-Transport-Securty header from within the app
merge_request:
author:

24
doc/update/8.17-to-9.0.md Normal file
View file

@ -0,0 +1,24 @@
#### Nginx configuration
Ensure you're still up-to-date with the latest NGINX configuration changes:
```sh
cd /home/git/gitlab
# For HTTPS configurations
git diff origin/8-17-stable:lib/support/nginx/gitlab-ssl origin/9-0-stable:lib/support/nginx/gitlab-ssl
# For HTTP configurations
git diff origin/8-17-stable:lib/support/nginx/gitlab origin/9-0-stable:lib/support/nginx/gitlab
```
If you are using Strict-Transport-Security in your installation to continue using it you must enable it in your Nginx
configuration as GitLab application no longer handles setting it.
If you are using Apache instead of NGINX please see the updated [Apache templates].
Also note that because Apache does not support upstreams behind Unix sockets you
will need to let gitlab-workhorse listen on a TCP port. You can do this
via [/etc/default/gitlab].
[Apache templates]: https://gitlab.com/gitlab-org/gitlab-recipes/tree/master/web-server/apache
[/etc/default/gitlab]: https://gitlab.com/gitlab-org/gitlab-ce/blob/9-0-stable/lib/support/init.d/gitlab.default.example#L38

View file

@ -82,6 +82,9 @@ server {
## ##
# ssl_dhparam /etc/ssl/certs/dhparam.pem; # ssl_dhparam /etc/ssl/certs/dhparam.pem;
## [Optional] Enable HTTP Strict Transport Security
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
## Individual nginx logs for this GitLab vhost ## Individual nginx logs for this GitLab vhost
access_log /var/log/nginx/gitlab_access.log; access_log /var/log/nginx/gitlab_access.log;
error_log /var/log/nginx/gitlab_error.log; error_log /var/log/nginx/gitlab_error.log;